Friday, September 8, 2017

Automate OpenSSL to pull a certificate thumbprint for an OIDC IDP

How to automatically pull the certificate thumbprint for an Open Identity Connect Providers certificate instead of the manual process described at

You could use this process along with 'aws iam update-open-id-connect-provider-thumbprint' to automate the process of regularly pulling the certificate from your IDP and updating it's thumbprint in IAM.

code can be found at:


# The purpose of this script is to automate the process described in the link below
# Use this script at your own risk
# Obtaining the Thumbprint for an OpenID Connect Identity Provider

#requires bash
#requires jq package
#requires perl
#requires openssl

#set the oidc idp URL
my $idpURL='';

my $cmd='curl -s ' . $idpURL . ' |jq -r \'.jwks_uri\'';

#run output of curl through jq
my $jwksURI=`$cmd`;

#cut off prepended https://
my $fullURL=substr($jwksURI, 8);

#cut off host of URL
my $hostURL=substr($fullURL, 0, index($fullURL, '/'));

$cmd='openssl s_client -showcerts -connect ' . $hostURL . ':443 </dev/null 2>/dev/null';

#use ssl_connect to get certificate chain
my $sslclientoutput=`$cmd`;

#cut junk off beginning of last cert
my $lastcertsub1=substr(substr($sslclientoutput, rindex($sslclientoutput, 'BEGIN')-5), 'END');
#cut junk off end of cert
my $lastcert=substr($lastcertsub1, 0, index($lastcertsub1, 'END')+20);

#create pem file
$cmd='echo "' . $lastcert . '" >oidcert.pem';

$cmd='openssl x509 -fingerprint -noout -in oidcert.pem';
my $opensslfinger=`$cmd`;

#cut off junk at beginning
my $fingerprint=substr($opensslfinger, index($opensslfinger, '=')+1);

#get rid of colons
$fingerprint =~  s/://g;

print $fingerprint